This is internal documentation. There is a good chance you’re looking for something else. See Disclaimer.
Handling of new Domains (DKIM/SPF Records, Etc.)
Why SPF / DKIM
Defense against spam:
Make it harder to abuse the domain for phishing
Don’t allow others to send mails in our name
Ensure legitimate mails aren’t classified as spam or rejected
What’s Needed for DKIM
For DKIM, one DNS record is required. It is identical for all customers, installations and domains.
What’s Needed for SPF
For SPF, a DNS record is needed that includes our SPF policy (
In the wild you’ll encounter …:
… domains that already have an SPF record.
In which case you insert
v=spf1 ip4:18.104.22.168/19 redirect=spf.mail.hostpoint.ch -all
v=spf1 ip4:22.214.171.124/19 include:spf.tocco.ch redirect=spf.mail.hostpoint.ch -all
include:spf.tocco.ch can appear anywhere between
… domains that have no SPF records yet.
In this case we’ll have to find out what other providers send mails using the domain.
Common examples for other providers:
? (required record varies)
It’s also common to send mails from one’s own machines:
specific IP range
Essentially, we’ll have to create an SPF record like this:
v=spf1 include:spf.tocco.ch [OTHER_PROVIDERS]... -all
Who has to Update the Records
In most cases DNS is managed by the customer or a third party.
Some domains are managed by us. In this case we have to make DNS adjustments ourselves.
See also Who has to Update the DNS Record?.
How to Collect the Required Information
Phase 1: Collect Domains Customer wants to Use
When is the information collected and who collects it?
New customers / initial domains:
Information is collected during preliminary project phase.
Existing customer / new domains:
Project manager, BS or sales receive a request to add or remove domain(s).
What information is needed?
What domains will be used to access Tocco via browser (webpage hosted in Tocco, intranet and backoffice)?
(Existing customers: what domains need to be added or removed.)
What domain will be used in email sender addresses?
(Existing customers: what domains need to be added or removed.)
One domain is required to be able to send basic system mails. For instance, to be able to reset one’s password.
example.com (includes email@example.com)
student.example.com (includes firstname.lastname@example.org)
What to do with the collected information?
Create a ticket for BS describing what domains need to be added or removed. From that point on BS will handle all that’s required. This includes further inquiries, communicating the required DNS changes, and issuing TLS certificates.
Phase 2: Perform Required Changes / Contact Customer (BS)
This is done by BS after receiving a ticket.
What needs to be done?
Check if we manage DNS for that domain. See Who has to Update the DNS Record?.
If we don’t manage the domain, fetch registration details via https://www.nic.ch/whois/ (.ch domains) or https://whois.domaintools.com. Keep the information handy in case the customer does not know who manages DNS for it.
Check current SPF record. Online tool: SPF validation.
If none exists, ask the customer what other services send mails for that domain. Then construct a new SPF record. See also What’s Needed for SPF above.
If one exists, have include:spf.tocco.ch inserted into the record.
Check current DKIM record. Online tool: dnslookup (replace ‘tocco.ch’ with actual domain)
If it doesn’t exist yet, have it added. See Create DKIM Record.
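The SPF step of Phase 2, as an added example (not Tocco's own tooling): given a domain's current TXT values, it returns the SPF record to publish, inserting include:spf.tocco.ch before the first all or redirect= term and refusing domains that publish more than one SPF record. The function names and the other_providers parameter are assumptions of this example, and the sample record is constructed.

```python
# Added example, not Tocco's own tooling. Sample records are constructed.
TOCCO_INCLUDE = "include:spf.tocco.ch"  # mechanism named on this page


def is_spf(txt):
    """A TXT value is an SPF record only if its first term is exactly v=spf1."""
    return txt.lower().split()[:1] == ["v=spf1"]


def must_follow_include(term):
    """True for 'all' (any qualifier) and for the redirect= modifier."""
    t = term.lower()
    return t.lstrip("+-~?") == "all" or t.startswith("redirect=")


def record_with_tocco(txt_records, other_providers=()):
    """Return the SPF record to publish, given the domain's current TXT values.

    other_providers: SPF terms for the customer's other senders; used only
    when no SPF record exists yet (hypothetical parameter for this example).
    """
    spf = [r for r in txt_records if is_spf(r)]
    if len(spf) > 1:
        # Receivers return permerror when a domain publishes several SPF records.
        raise ValueError("multiple SPF records found; merge them into one first")
    if not spf:
        return " ".join(["v=spf1", TOCCO_INCLUDE, *other_providers, "-all"])

    terms = spf[0].split()
    if any(t.lower().lstrip("+") == TOCCO_INCLUDE for t in terms):
        return " ".join(terms)  # already present: change nothing
    # Mechanisms placed after 'all' are never evaluated, so insert before the
    # first 'all' or 'redirect=' term (redirect= stays at the end, as in the
    # page's own example); append if the record has neither.
    pos = next((i for i, t in enumerate(terms) if must_follow_include(t)), len(terms))
    terms.insert(pos, TOCCO_INCLUDE)
    return " ".join(terms)


if __name__ == "__main__":
    current = ["v=spf1 ip4:192.0.2.0/24 redirect=spf.example.net -all"]  # constructed
    print(record_with_tocco(current))
```

Feed it the TXT values returned by the lookup in the "Check current SPF record" step; the ValueError case is worth reporting to the customer before any change is requested.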